I am struggling with the order of operations in my timechart query. I need to show the number of Users who accessed a system daily over a 7 day period. My query shows the correct numbers for 1 day, but when I extend the timepicker to 7 days the numbers are incorrect. I've tried using dedup to get the distinct number of users, but this causes a problem when I extend the timepicker (it then dedupes users across 7 days instead of per day). Help.
index=foo sourcetype="bar" realm="keywords"
| stats dc(User) by _time, status
| timechart span=1d count by status
Finally figured it out. The correct timechart command was:
index=foo sourcetype="bar" realm="keywords"
| timechart span=1d distinct_count(User) by status
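Added example (not part of this thread): a small Python model of what `timechart span=1d distinct_count(User) by status` computes, beside a model of the dedup approach the question mentions, to show why dedup over the whole window undercounts per-day users. The events are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not from the thread): (timestamp, User, status).
EVENTS = [
    ("2024-04-01T08:00:00Z", "alice", "200"),
    ("2024-04-01T09:00:00Z", "alice", "200"),  # same user, same day: counted once
    ("2024-04-01T10:00:00Z", "bob",   "401"),
    ("2024-04-02T07:30:00Z", "alice", "200"),  # alice again on day 2: counted again
    ("2024-04-02T11:00:00Z", "carol", "200"),
    ("2024-04-02T12:00:00Z", "bob",   "401"),
    ("2024-04-02T13:00:00Z", "bob",   "200"),  # bob appears under two statuses on day 2
]


def day_bucket(ts: str) -> str:
    """Equivalent of span=1d: truncate the event time to its calendar day."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").date().isoformat()


def timechart_dc_by_status(events):
    """Model of `timechart span=1d distinct_count(User) by status`:
    the number of distinct users in each (day, status) cell."""
    users = defaultdict(set)
    for ts, user, status in events:
        users[(day_bucket(ts), status)].add(user)
    return {cell: len(names) for cell, names in users.items()}


def dedup_then_count(events):
    """Model of `| dedup User | timechart span=1d count by status` over the
    whole search window. dedup keeps one event per user across every day
    searched (here the most recent, matching default reverse-time search
    order), so every other day that user was active is lost."""
    seen = set()
    counts = defaultdict(int)
    for ts, user, status in sorted(events, reverse=True):
        if user in seen:
            continue
        seen.add(user)
        counts[(day_bucket(ts), status)] += 1
    return dict(counts)


if __name__ == "__main__":
    print("per-day distinct users:", timechart_dc_by_status(EVENTS))
    print("dedup over whole window:", dedup_then_count(EVENTS))
```

With a two-day window, the dedup variant reports nothing at all for the first day, which is the symptom described in the question.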
How are the 7-day numbers incorrect?
Have you tried ignoring status? Status shouldn't matter when you only care about user count.
So, for example, if I look at April 2 only I get 100 users (correct). If I extend the time picker to April 1 - 2, the numbers are April 1: 25 users (should be 50), April 2: 30 users (should be 100). I need status because I need the split-by count.